Control 6.5 in ISO 27002:2022 covers the need for organisations to define the information security duties and responsibilities that remain valid should personnel stop work or move to a new department.
These duties and responsibilities should be communicated to the employee as well as any other relevant party.
Information duties and responsibilities are the obligations that an employee has to his or her employer when it comes to handling confidential information. The duty to keep information confidential is a legal obligation in most states, so it’s important for employees to understand what they are required to do when it comes to protecting their employer’s information.
In most cases, employers have a right to expect their employees not only to protect confidential information but also not use that information for personal gain such as through insider trading or other illegal activities.
Examples of information security duties and responsibilities include:
As an organisation, it’s important to understand your responsibilities when handling personal information because doing so will help you avoid violating privacy laws, which can have serious consequences for both your business and your employees.
Controls are classified using attributes. Using these, you can quickly match your control selection with commonly used industry terms and specifications.
Attributes for control 6.5 are:
| Control Type | Information Security Properties | Cybersecurity Concepts | Operational Capabilities | Security Domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Human Resource Security #Asset Management | #Governance and Ecosystem |
Control 6.5 is a control that should be implemented when an employee or contractor leaves the organisation, or the contract is terminated before it expires.
The purpose of this control is to protect the organisation’s information security interests as part of the process of changing or terminating employment or contracts.
This control can also work to protect against the risk of employees who have access to sensitive information and processes, misusing their position for personal gain or malicious intent, particularly after they have left the organisation or job role.
Control 6.5 aims to protect the organisation’s information security interests as part of the process of changing or terminating employment or contracts. This includes employees, contractors and third parties who have access to your sensitive information.
Implementing the control means assessing whether any individuals (including those employed by a third party) who have access to your sensitive personal data are leaving your organisation and whether it is necessary to take steps to ensure that they do not retain and continue to access your sensitive personal data after their departure.
If you find that someone is leaving and there is a risk that sensitive personal data may be disclosed, then you must take reasonable steps before they leave, or as soon as possible after they have left, so this does not happen.
In order to meet the requirements for control 6.5, the terms and conditions of an individual’s employment, contract, or agreement should specify any information security responsibilities and duties that remain in effect after the end of the relationship.
Information security duties may also be included in other contracts or agreements that extend beyond the end of an employee’s employment.
Anyone who quits or changes jobs should have their information security responsibilities and duties passed to a new person, and all the access credentials deleted and a new one created.
More information on how this works can be found in the ISO 27002:2022 standard document.
Control 6.5 in the new ISO 27002:2022 is not a new control, rather, it is a modified version of control 7.3.1 in ISO 27002:2013.
While the basics of these two controls are similar, there are slight variations. For example, the implementation guidance in both versions are slightly different.
The first part of the implementation guidance in control 7.3.1 in ISO 27002: 2013 states that
“The communication of termination responsibilities should include on-going information security requirements and legal responsibilities and, where appropriate, responsibilities contained within any confidentiality agreement and the terms and conditions of employment continuing for a defined period after the end of the employee’s or contractor’s employment.”
The same section in control 6.5 of ISO 27002:2022 states that
“The process for managing termination or change of employment should define which information security responsibilities and duties should remain valid after termination or change. This can include confidentiality of information, intellectual property and other knowledge obtained, as well as responsibilities contained within any other confidentiality agreement.
Responsibilities and duties still valid after termination of employment or contract should be contained in the individual’s terms and conditions of employment, contract or agreement. Other contracts or agreements that continue for a defined period after the end of the individual’s employment can also contain information security responsibilities.”
That said, no matter how much their wordings differ, both controls have a mostly similar structure and function in their respective contexts. The language used in control 6.5 has been simplified to make it more user-friendly, so that those who will be using the standard will be able to relate to its content more easily.
It is important to also point out that the 2022 version of ISO 27002 also comes with a statement of purpose and attributes table for each control to help users better understand and implement the controls. These two sections are missing in the 2013 edition.
In line with the recommendations of control 6.5, the human resources department is usually in charge of the total termination process in most organisations, and it collaborates with the supervising manager of the individual who is transitioning to oversee the information security elements of the related procedures.
Personnel supplied by an external party (for example, a supplier) is terminated by the external party in line with the terms and conditions of the contract that was established between the organisation and the external party.
We’ll give you an 81% headstart
from the moment you log in
Book your demo
If you don’t use ISMS.online, you’re making your life more difficult than it needs to be!
The ISO 27002:2013 standard has not been significantly changed. The standard was just updated to facilitate usability. It is not necessary for any organisation that is currently in compliance with ISO 27002:2013 to take any additional steps to maintain compliance with ISO 27002.
In order to comply with the revisions in ISO 27002:2022, the organisation will only need to make minor modifications to its existing processes and procedures, particularly if there is any intention to re-certify.
If you would like to learn more about how these changes to control 6.5 will influence your organisation, please see our guide on ISO 27002:2022.
Companies can use ISMS.Online to help them with their ISO 27002 compliance efforts by providing them with a platform that makes it easy to manage their security policies and procedures, update them as needed, test them and monitor their effectiveness.
Our cloud-based platform allows you to quickly and easily manage all the aspects of your ISMS, including risk management, policies, plans, procedures and more, in one central location. The platform is easy to use and has an intuitive interface that makes it simple to learn how to use.
ISMS.Online enables you to:
If you are a business that needs to comply with ISO 27001 and/or ISO 27002, ISMS.Online offers a full range of features to help you achieve this important goal.
Get in touch today to book a demo.
Book a tailored hands-on session
based on your needs and goals
Book your demo
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 5.7 | New | Threat intelligence |
| 5.23 | New | Information security for use of cloud services |
| 5.30 | New | ICT readiness for business continuity |
| 7.4 | New | Physical security monitoring |
| 8.9 | New | Configuration management |
| 8.10 | New | Information deletion |
| 8.11 | New | Data masking |
| 8.12 | New | Data leakage prevention |
| 8.16 | New | Monitoring activities |
| 8.23 | New | Web filtering |
| 8.28 | New | Secure coding |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 6.1 | 07.1.1 | Screening |
| 6.2 | 07.1.2 | Terms and conditions of employment |
| 6.3 | 07.2.2 | Information security awareness, education and training |
| 6.4 | 07.2.3 | Disciplinary process |
| 6.5 | 07.3.1 | Responsibilities after termination or change of employment |
| 6.6 | 13.2.4 | Confidentiality or non-disclosure agreements |
| 6.7 | 06.2.2 | Remote working |
| 6.8 | 16.1.2, 16.1.3 | Information security event reporting |
| ISO/IEC 27002:2022 Control Identifier | ISO/IEC 27002:2013 Control Identifier | Control Name |
|---|---|---|
| 7.1 | 11.1.1 | Physical security perimeters |
| 7.2 | 11.1.2, 11.1.6 | Physical entry |
| 7.3 | 11.1.3 | Securing offices, rooms and facilities |
| 7.4 | New | Physical security monitoring |
| 7.5 | 11.1.4 | Protecting against physical and environmental threats |
| 7.6 | 11.1.5 | Working in secure areas |
| 7.7 | 11.2.9 | Clear desk and clear screen |
| 7.8 | 11.2.1 | Equipment siting and protection |
| 7.9 | 11.2.6 | Security of assets off-premises |
| 7.10 | 08.3.1, 08.3.2, 08.3.3, 11.2.5 | Storage media |
| 7.11 | 11.2.2 | Supporting utilities |
| 7.12 | 11.2.3 | Cabling security |
| 7.13 | 11.2.4 | Equipment maintenance |
| 7.14 | 11.2.7 | Secure disposal or re-use of equipment |
